Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-h6w8-52mq-4qxc: Apache Linkis contains Deserialization of Untrusted Data

In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users to upgrade the version of Linkis to version 1.3.1.

ghsa
Open in Source
#sql#vulnerability#apache#git#java#rce#maven
GHSA-rx76-xw35-6rh8: Apache Linkis vulnerable to Exposure of Sensitive Information

In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, an authenticated attacker could read arbitrary local file by connecting a rogue mysql server, By adding allowLoadLocalInfile to true in the jdbc parameter. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.1

GHSA-rc47-6667-2j5j: http-cache-semantics vulnerable to Regular Expression Denial of Service

http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

GHSA-r4hg-4cpq-q57c: jSuites subect to Cross-site Scripting

Versions of the package jsuites before 5.0.1 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the Editor() function.

GHSA-c6rx-gxqv-vr5j: nemo-appium vulnerable to OS Command Injection

Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. **Note:** In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium dependencies.

GHSA-pp4w-9x82-6r47: Apache IoTDB contains Improper Authentication

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 before 0.13.3.

GHSA-rw83-v3pw-m362: Withdrawn: safeurl-python contains Server-Side Request Forgery

## Withdrawn This advisory has been withdrawn as a duplicate of [GHSA-jgh8-vchw-q3g7](https://github.com/advisories/GHSA-jgh8-vchw-q3g7). ## Original Description isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF.

GHSA-88v8-v46g-6c9w: Servst vulnerable to Path Traversal

Versions of the package servst before 2.0.3 are vulnerable to Directory Traversal due to improper sanitization of the filePath variable.

GHSA-mf6x-hrgr-658f: Eta vulnerable to Code Injection via templates rendered with user-defined data

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.

GHSA-w7w4-qjgg-372x: Froxlor contains Static Code Injection

Static Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.